PortSwigger / http-request-smuggler

https://portswigger.net/blog/http-desync-attacks

The CL.TE attack payload is missing a newline character #42

Closed superboy-zjc closed 3 years ago

superboy-zjc commented 3 years ago

When using CL.TE to attack the module, I found that there is only one newline after the 0 terminator of the data block, and it should be two newlines under normal circumstances.

superboy-zjc commented 3 years ago

In addition, you can see that the newline input through Turbo Intruder lacks "/r", which leads to the failure of the attack.

albinowax commented 3 years ago

Thanks for the report. Which operating system are you using?

albinowax commented 3 years ago

As a pointer, my guess is that this is occurring because you're using an OS that uses \n as line-endings, and you have defined your injection using a multi-line string. You can work around this by adding .replace('\n','\r\n') on the end of the injection string.

superboy-zjc commented 3 years ago

> Thanks for the report. Which operating system are you using?

Windows 10

superboy-zjc commented 3 years ago

> As a pointer, my guess is that this is occurring because you're using an OS that uses \n as line-endings, and you have defined your injection using a multi-line string. You can work around this by adding .replace('\n','\r\n') on the end of the injection string.

Thanks for your solution!

albinowax commented 3 years ago

I've patched this now: https://github.com/PortSwigger/http-request-smuggler/commit/165815a6d0e2f79dab72369974784ccb8615336a

Thanks again for the report!
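An added example, not part of the thread or of the project's code: a line-ending check for a raw request template written as a multi-line string. It also covers a case the one-line `.replace('\n','\r\n')` workaround does not, a string that already contains CRLF. The function names and the sample template are assumptions made for this illustration.

```python
import re

# An LF that is not already preceded by CR.
_BARE_LF = re.compile(r'(?<!\r)\n')


def to_crlf(text):
    """Convert bare LF to CRLF, leaving existing CRLF pairs untouched."""
    return _BARE_LF.sub('\r\n', text)


def line_ending_report(raw):
    """Count the line-ending styles present in a raw request string."""
    return {
        'crlf': raw.count('\r\n'),
        'bare_lf': len(_BARE_LF.findall(raw)),
        'bare_cr': len(re.findall(r'\r(?!\n)', raw)),
    }


def chunked_body_terminated(raw):
    """True if the body ends with the last chunk "0" followed by two CRLFs."""
    _head, sep, body = raw.partition('\r\n\r\n')
    if not sep:
        return False  # no CRLF CRLF, so the header block never ends
    return body == '0\r\n\r\n' or body.endswith('\r\n0\r\n\r\n')


# Constructed sample: a template written as a multi-line string, which
# holds bare LF line endings.
TEMPLATE = """POST / HTTP/1.1
Host: example.test
Transfer-Encoding: chunked

3
abc
0

"""

if __name__ == '__main__':
    fixed = to_crlf(TEMPLATE)
    print(line_ending_report(TEMPLATE), chunked_body_terminated(TEMPLATE))
    print(line_ending_report(fixed), chunked_body_terminated(fixed))
    # A plain str.replace on an already-CRLF string doubles the CR.
    print(line_ending_report(fixed.replace('\n', '\r\n')))
```

Because `to_crlf` skips any LF that already follows a CR, it can be applied to a template more than once without changing the result.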